- Регистрация
- 1 Мар 2015
- Сообщения
- 11,789
- Баллы
- 155
Email/Password
Reset password
Check for session tokens in the URL:
In the example above, we can see that the token is 3 digits. We can capture this request to Burp Suite, send it to intruder, highlighting the 123.
Then we generate a list of tokens.
crunch 3 3 -o otp.txt -t %%% -s 100 -e 200
Using Sniper Attack and Simple List payload, we can start the attack.
We then check for the longest content length, taking a peek at its response.
Basic Authentication
Input username and password, capture the request in Burp Suite, check out encoded credentials. We have an example of credentials encoded with Base64.
In this example the encoded credentials are under the Authorization: Basic <credentials>
As we decode it, we get the format username:password.
We can instead brute force our way in using or any other password list.
We add a prefix rule as the username.
We also add the Base64 encode rule as the credentials are encoded with Base64 and sent to the server.
We should also remove the character "=" (equal sign) from the encoding because base64 uses "=" for padding.
Start the attack and look out for the request with valid status code (200-399) and check its response.
Relics of the Past
Using , we can check past versions of sites, perhaps old unremoved directories which can act as a backdoor into the website.
We can install it onto our machine .
Example output:
user@tryhackme $ ./waybackurls tryhackme.com
[-- snip --]
[-- snip --]
By crafting specific search queries, known as Google Dorks, you can find information that wasn’t meant to be public. These queries can pull up everything from exposed administrative directories to logs containing passwords and indices of sensitive directories. For example:
Reset password
Check for session tokens in the URL:
In the example above, we can see that the token is 3 digits. We can capture this request to Burp Suite, send it to intruder, highlighting the 123.
Then we generate a list of tokens.
crunch 3 3 -o otp.txt -t %%% -s 100 -e 200
- 3: minimum digits
- 3: maximum digits
- -o otp.txt: output file
- -t %%%: output format
- -s 100: start from
- -e 200: ends at
Using Sniper Attack and Simple List payload, we can start the attack.
We then check for the longest content length, taking a peek at its response.
Basic Authentication
Input username and password, capture the request in Burp Suite, check out encoded credentials. We have an example of credentials encoded with Base64.
In this example the encoded credentials are under the Authorization: Basic <credentials>
As we decode it, we get the format username:password.
We can instead brute force our way in using or any other password list.
We add a prefix rule as the username.
We also add the Base64 encode rule as the credentials are encoded with Base64 and sent to the server.
We should also remove the character "=" (equal sign) from the encoding because base64 uses "=" for padding.
Start the attack and look out for the request with valid status code (200-399) and check its response.
Relics of the Past
Using , we can check past versions of sites, perhaps old unremoved directories which can act as a backdoor into the website.
We can install it onto our machine .
- git clone
- cd waybackurls
- sudo apt install golang-go -y
- go build
Example output:
user@tryhackme $ ./waybackurls tryhackme.com
[-- snip --]
[-- snip --]
By crafting specific search queries, known as Google Dorks, you can find information that wasn’t meant to be public. These queries can pull up everything from exposed administrative directories to logs containing passwords and indices of sensitive directories. For example:
- To find administrative panels: site:example.com inurl:admin
- To unearth log files with passwords: filetype:log "password" site:example.com
- To discover backup directories: intitle:"index of" "backup" site:example.com